Skip to content
This repository has been archived by the owner on Feb 11, 2025. It is now read-only.

Only use anon credentials for public s3 buckets #187

Merged
merged 4 commits into from
Oct 1, 2021
Merged

Only use anon credentials for public s3 buckets #187

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e53b18e
Only use anon credentials for public s3 buckets
cmckeen Sep 30, 2021
f0d34af
optimize struct
cmckeen Oct 1, 2021
532a3be
update readme
cmckeen Oct 1, 2021
fcbec60
Update CHANGELOG.md
cmckeen Oct 1, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Nothing.

## [1.2.2] - 2021-10-01

- [#188](https://github.com/meltwater/drone-cache/pull/188) v1.2.0 breaks EC2 IAM role bucket access

## [1.2.1] - 2021-09-30

### Added
Expand Down
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,7 @@ GLOBAL OPTIONS:
--path-style AWS path style to use for bucket paths. (true for minio, false for aws) (default: false) [$PLUGIN_PATH_STYLE, $AWS_PLUGIN_PATH_STYLE]
--acl value upload files with acl (private, public-read, ...) (default: "private") [$PLUGIN_ACL, $AWS_ACL]
--encryption value server-side encryption algorithm, defaults to none. (AES256, aws:kms) [$PLUGIN_ENCRYPTION, $AWS_ENCRYPTION]
--s3-bucket-public value Set to use anonymous credentials with public S3 bucket [$PLUGIN_S3_BUCKET_PUBLIC, $S3_BUCKET_PUBLIC]
--sts-endpoint value Custom STS endpoint for IAM role assumption [$PLUGIN_STS_ENDPOINT, $AWS_STS_ENDPOINT]
--role-arn value AWS IAM role ARN to assume [$PLUGIN_ASSUME_ROLE_ARN, $AWS_ASSUME_ROLE_ARN]
--gcs.api-key value Google service account API key [$PLUGIN_API_KEY, $GCP_API_KEY]
Expand Down
6 changes: 6 additions & 0 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -363,6 +363,11 @@ func main() {
Usage: "server-side encryption algorithm, defaults to none. (AES256, aws:kms)",
EnvVars: []string{"PLUGIN_ENCRYPTION", "AWS_ENCRYPTION"},
},
&cli.StringFlag{
Name: "s3-bucket-public",
Usage: "Set to use anonymous credentials with public S3 bucket",
EnvVars: []string{"PLUGIN_S3_BUCKET_PUBLIC", "S3_BUCKET_PUBLIC"},
},
&cli.StringFlag{
Name: "sts-endpoint",
Usage: "Custom STS endpoint for IAM role assumption",
Expand Down Expand Up @@ -546,6 +551,7 @@ func run(c *cli.Context) error {
Endpoint: c.String("endpoint"),
Key: c.String("access-key"),
PathStyle: c.Bool("path-style"),
Public: c.Bool("s3-bucket-public"),
Region: c.String("region"),
Secret: c.String("secret-key"),
StsEndpoint: c.String("sts-endpoint"),
Expand Down
1 change: 1 addition & 0 deletions storage/backend/s3/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,5 @@ type Config struct {
Secret string

PathStyle bool // Use path style instead of domain style. Should be true for minio and false for AWS.
Public bool
}
6 changes: 5 additions & 1 deletion storage/backend/s3/s3.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,11 @@ func New(l log.Logger, c Config, debug bool) (*Backend, error) {
Endpoint: &c.Endpoint,
DisableSSL: aws.Bool(!strings.HasPrefix(c.Endpoint, "https://")),
S3ForcePathStyle: aws.Bool(c.PathStyle),
Credentials: credentials.AnonymousCredentials,
}

// Use anonymous credentials if the S3 bucket is public
if c.Public {
conf.Credentials = credentials.AnonymousCredentials
}

if c.Key != "" && c.Secret != "" {
Expand Down